05/11/18: Kubernetes Unauthenticated API Access

Threat Summary

Overview

There is an information disclosure vulnerability in the Kubernetes API server container application. By default, the Kubernetes API server accepts unauthenticated requests (TCP port 10250/10255). Port 10255 is an HTTP read-only port. Port 10250 is over HTTPS and allows the execution of arbitrary commands. In addition to this, etcd, which is a key value store utilized by Kubernetes and other applications, is also left open by default on port 2379/12379. An attacker can make requests to the etcd service to reveal information about keys on a cluster or create/modify the keys.

Exploitation

Stages

An unauthenticated attacker makes an HTTP/S request to the Kubernetes API server. If the request is to the HTTP default port of 10255, the attack is an information disclosure. A request to port 10250 could allow the attacker to execute commands. In addition, an attacker can make requests to the etcd service in order to disclose further information about the node/cluster.

The server will respond with the requested information or an arbitrary OS command that is executed on the system.

Prerequisites

A remote unauthenticated attacker will need to discern whether a system is running Kubernetes. This can be done through various active/passive information gathering.

Alert Logic Coverage

Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.

The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.